v1.9.0

Outlook Plus

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:58 AM.

Analysis

This skill appears to implement the advertised Outlook integration, but it grants persistent, broad mail/calendar authority and exposes send/delete/update actions without clear approval guardrails.

GuidanceInstall only if you want this agent to manage your Outlook mail and calendar. Before authorizing, verify the source/version, review the Microsoft consent screen, keep ~/.outlook-mcp private, avoid unusual account names, require manual confirmation for any send/delete/move/calendar mutation, and revoke the Azure app or tokens when you no longer need the skill.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

SKILL.md

./scripts/outlook-mail.sh send <to> <subj> <body> # Send new email ... ./scripts/outlook-mail.sh delete <id> # Move to trash ... ./scripts/outlook-calendar.sh delete <id> # Delete event

The skill exposes high-impact account-mutation commands. Unlike token printing, the artifacts do not show confirmation requirements before sending email or deleting mail/calendar data.

User impactAn incorrect or unintended invocation could send mail as the user, delete or move messages, or change calendar events.

RecommendationRequire explicit user confirmation and a preview for all send, delete, move, archive, calendar create, calendar update, and calendar delete actions; consider making read-only behavior the default.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

scripts/outlook-setup.sh

ACCOUNT="$2" ... CONFIG_DIR="$BASE_DIR/$ACCOUNT" ... cat > "$CONFIG_FILE" ... echo "$TOKEN_RESPONSE" > "$CREDS_FILE"

The account name is used directly to build credential file paths, with no validation shown to block slashes or '..' path traversal.

User impactA malformed account name could cause credential files to be written to or read from an unintended local path.

RecommendationValidate account names with a strict safe pattern such as letters, numbers, underscores, and dashes, and ensure resolved paths remain under ~/.outlook-mcp.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

_meta.json

"slug": "outlook", "version": "1.4.0"

The included metadata does not match the supplied registry identity of outlook-plus version 1.9.0, creating a provenance/version consistency gap for a high-privilege skill.

User impactIt may be harder to verify exactly which package version and publisher identity you are trusting.

RecommendationVerify the source repository, release/version, and publisher identity before authorizing Microsoft account access.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

scripts/outlook-setup.sh

SCOPES="https://graph.microsoft.com/Mail.ReadWrite https://graph.microsoft.com/Mail.Send https://graph.microsoft.com/Calendars.ReadWrite offline_access"

These delegated Microsoft Graph scopes allow reading and modifying mail, sending mail, modifying calendars, and refreshing access without repeated sign-in.

User impactInstalling and authorizing this skill gives it persistent authority over sensitive mailbox and calendar data until revoked.

RecommendationOnly authorize this if full mail/calendar management is intended; review the Microsoft consent screen, use the least-privileged account possible, and revoke the app/tokens when no longer needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

scripts/outlook-mail.sh

body: (if .body.contentType == "html" then (.body.content | gsub("<[^>]*>"; "") ... | .[0:2000]) else .body.content[0:2000] end)

The script retrieves email body content into the agent-visible output. This is expected for an email skill, but email content is private and may contain untrusted instructions.

User impactPrivate message content may enter the agent context, and malicious email text could influence responses if treated as instructions.

RecommendationTreat email content as untrusted data, avoid following instructions found inside messages unless the user confirms, and limit message reads to what the user requested.